named -- using which port?

icechong · 01-30-2007, 01:41 AM

Hi there,

I have just setting up a BIND server. when i activate the iptables allow ONLY TCP port 53(others all drop), the BIND server doesnt work well anymore.

other than port 53, which port or any other thing i should open up?

thanks.

acid_kewpie · 01-30-2007, 01:58 AM

well DNS is 99% UDP... don't drop UDP/53.

icechong · 01-30-2007, 02:18 AM

Quote:

Originally Posted by acid_kewpie

well DNS is 99% UDP... don't drop UDP/53.

how about TCP/53?

acid_kewpie · 01-30-2007, 02:32 AM

what about it... that'll be about 1% if that. TCP would only be a last resort for dns if the client even supports it. most dns servers won't listen for TCP at all.

icechong · 01-30-2007, 05:57 AM

Hi Acid_kewpie,

problem solved after i allow UDP/53. thanks very much for your support.

icechong

nx5000 · 01-30-2007, 06:09 AM

AFAIK TCP will be used for reliable long queries or for zone transfers.
So if you block TCP/53 you might get intermitent failures in case udp packets are reorderd.
I wouldn't block TCP/53. rfc says that both transport methods can be used.